CVE-2021-39133
Impact: Moderate
Affected Versions: < 3.4.3, < 3.3.14
Patched Versions: 3.4.3+, 3.3.14+
Description
Cross-Site Request Forgery (CSRF) can run untrusted code on the Rundeck server
Impact
A user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code, on all Rundeck editions.
Patches
Available in Rundeck 3.4.3+ and 3.3.14+
Workarounds
As a user with admin access, always avoid following untrusted links.
Scan outbound URL requests from the Rundeck server for untrusted destinations or content.
To close the vulnerability completely, deny admin-level access to the system resource to all users by adding the following ACLPolicy file. This has the side effect of disabling other admin-level actions on the application, but it mitigates the issue.
description: Deny system admin access to all users
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: 'system'
      deny: 'admin'
by:
  group: '.*'
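One way to confirm that the workaround policy above is actually in effect for a given group, as an added example that is not Rundeck's own code: it parses an aclpolicy file and checks whether any document in it denies the admin action on the system resource kind. It assumes the policy text is the one shown above, that a deny entry wins over allows elsewhere, and that by.group is matched as an anchored regular expression; check those assumptions against the ACL documentation for your Rundeck version.

```ruby
require 'yaml'

# Constructed copy of the workaround policy from the advisory above.
WORKAROUND_POLICY = <<~YAML
  description: Deny system admin access to all users
  context:
    application: 'rundeck'
  for:
    resource:
      - equals:
          kind: 'system'
        deny: 'admin'
  by:
    group: '.*'
YAML

# True when a single policy document denies `action` on an application-scope
# resource of kind `kind` for a principal in `group`.
# Assumption: `by.group` is an anchored regular expression and a matching
# `deny` entry takes precedence over any `allow` in other policies.
def denies?(policy, group:, kind:, action:)
  return false unless policy.dig('context', 'application') == 'rundeck'
  group_pattern = policy.dig('by', 'group')
  return false unless group_pattern && /\A#{group_pattern}\z/.match?(group)

  Array(policy.dig('for', 'resource')).any? do |rule|
    next false unless rule.dig('equals', 'kind') == kind
    # `deny` may be a single action string or a list of actions.
    Array(rule['deny']).include?(action)
  end
end

# Walks every document in an aclpolicy file (documents separated by ---) and
# reports whether the advisory's workaround applies to `group`.
def system_admin_denied?(aclpolicy_text, group:)
  docs = aclpolicy_text.split(/^---\s*$/).map(&:strip).reject(&:empty?)
  docs.any? do |doc|
    denies?(YAML.safe_load(doc), group: group, kind: 'system', action: 'admin')
  end
end
```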
For more information
If you have any questions or comments about this advisory:
- Email us at security@rundeck.com
To report security issues to Rundeck please use the form at https://rundeck.com/security